Millions in Bitcoin gone after attack on Silk Road 2

The operators of Silk Road 2, an online Deep Web marketplace that can only be accessed through the anonymous web browsing system Tor, has been hacked. The attackers reportedly made out with millions of dollars worth of Bitcoins, all of the users’ funds that the site’s operators had been holding as part of transactions.

It’s been estimated that somewhere in the neighborhood of 88,000 bitcoins were stolen as a result of the attack. At the current market price, that haul is valued at approximately $54 million USD. However, Nicholas Weaver, a researcher at the International Computer Science Institute told Forbes that the amount of bitcoins stolen is likely closer to $2.6 million USD.

Silk Road 2 was launched last November, shortly after the original Silk Road was shut down by law enforcement authorities and its alleged mastermind, Ross Ulbricht, was arrested in San Francisco.

In an message posted to the Silk Road’s internal forum on Thursday, the site operator, who goes by the pseudonym Defcon, recounted the situation:

Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as “transaction malleability” to repeatedly withdraw coins from our system until it was completely empty….This attack hit us at the worst possible time. We were planning on re-launching the new auto-finalize and Dispute Center this past weekend, and our projections of order finalization volume indicated that we would need the community’s full balance in hot storage. In retrospect this was incredibly foolish, and I take full responsibility for this decision.

The issue of transaction malleability is one that’s thrown the entire Bitcoin community into chaos in recent days. According to Coindesk, ?it’s an attack that lets someone change the unique ID of a bitcoin transaction before it is confirmed on the bitcoin network. The change makes it possible for someone to pretend that a transaction didn’t happen, if all the right conditions are in place.”

Conducted on a mass scale, as occurred earlier this week when an unknown entity used the technique to launch a coordinated denial of service attack on a number of Bitcoin exchanges around the world.

The attack caused MtGox, the single most high-profile Bitcoin exchange in existence, to temporarily halt all withdrawals until the issue of transaction malleability was dealt with. Others exchanges, such as the Slovenia-based Bitstamp, have followed suit.

In his or her note, Defcon admitted that the fault for the hack attack lays at the feet of the site’s operators. ?I have failed you as a leader, and am completely devastated by today’s discoveries,” Defcon wrote. ?I should have taken MtGox and Bitstamp’s lead and disabled withdrawals as soon as the malleability issue was reported. I was slow to respond and too skeptical of the possible issue at hand. It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch.”

Defcon wrote that there are currently efforts underway to track down the thief.

Even so, there are some who question Defcon’s version of events. In a post to Reddit’s r/Bitcoin forum, wrote a post charging that, ?it is clear that Silk Road 2 funds were stolen by the operators.”

Online black markets like Silk Road 2 have long been targets for hackers. Last December, hackers who targeted the online wallets of Sheep Marketplace stole over $100 million in Bitcoin the days before the marketplace shut down entirely.

Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.